Scan Report
5 /100
worst-travel-challenge
AI travel challenge skill that intentionally plans the worst-rated flights, hotels, and attractions using FlyAI real-time data, with snarky commentary and travel content generation.
This skill is a pure Markdown documentation package for a creative travel-planning AI agent. No executable code, scripts, binaries, or sensitive operations exist — only markdown documentation describing FlyAI CLI command usage.
Safe to install
No action required. The skill is a benign creative travel planning tool with no security concerns.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file operations in any file |
| Shell | NONE | NONE | — | Only describes CLI command names in documentation; no subprocess/exec calls |
| Network | NONE | NONE | — | FlyAI CLI tool handles network calls externally; skill itself makes no network r… |
| Environment | NONE | NONE | — | No environment variable access in any file |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database operations |
7 findings
Medium External URL 外部 URL
https://img.shields.io/badge/version-1.1.0-blue.svg README.md:9 Medium External URL 外部 URL
https://img.shields.io/badge/FlyAI-Required-orange.svg README.md:10 Medium External URL 外部 URL
https://flyai.open.fliggy.com README.md:10 Medium External URL 外部 URL
https://img.shields.io/badge/license-MIT-green.svg README.md:11 Medium External URL 外部 URL
https://img.shields.io/badge/ClawHub-Verified-purple.svg README.md:12 Medium External URL 外部 URL
https://www.clawhub.com README.md:12 Medium External URL 外部 URL
https://a.feizhu.com/xxxxx references/README.md:72 File Tree
3 files · 38.4 KB · 1048 lines Markdown 3f · 1048L
├─
▾
references
│ └─
README.md
Markdown
├─
README.md
Markdown
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
@fly-ai/flyai-cli | not specified | npm | No | External npm CLI tool; no credentials required; skill declares version-less install as acceptable |
Security Positives
✓ Pure markdown documentation package — zero executable code
✓ No sensitive file access (no ~/.ssh, ~/.aws, .env, etc.)
✓ No credential harvesting or environment variable reading
✓ No network exfiltration or C2 communication
✓ No obfuscation techniques (no base64, no eval, no encoded payloads)
✓ No supply chain risks — declared dependency is a public npm tool with no credentials required
✓ Declared FlyAI CLI commands are travel-search utilities, not dangerous operations
✓ Explicitly states no API key or credential requirement
✓ Includes appropriate safety constraints (user confirmation, budget adherence, illegal-activity prohibition)
✓ No reverse shell, C2, or persistence mechanisms